MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3fb154482ef8ae49941c9ed13063294cd4f97e28e5dd8b72e1a082398e46be21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 14

Intelligence 14 IOCs 5 YARA 16 File information Comments

SHA256 hash:	3fb154482ef8ae49941c9ed13063294cd4f97e28e5dd8b72e1a082398e46be21
SHA3-384 hash:	d56c2dad4f2ce5d4c28b6b8323ad80672f709d31ce8bd388d06d686646fc5dce05db3725731728266799e0dee2ca4f18
SHA1 hash:	28a0557ae3c649abaab9d4ce5963c11c96b9c9fa
MD5 hash:	6cd2e1419b2b32c7cfa8a65237820670
humanhash:	oklahoma-washington-robert-pasta
File name:	3FB154482EF8AE49941C9ED13063294CD4F97E28E5DD8.exe
Download:	download sample
Signature	Amadey Create hunting rule
File size:	6'276'343 bytes
First seen:	2022-01-27 20:45:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep	98304:xtCvLUBsgtNN3RZVqRCGIiAHlz5sn4GQvrdZOfTa/bxA4mfx6c0QQ:xuLUCgtNN3RmCGic4GkEfO/bFwEZ
Threatray	1'901 similar samples on MalwareBazaar
TLSH	T1DF563320BCB4EE79D44021395B8893F966FE534C163AEECB7B595F0C6A3A691C31F406
File icon (PE):
dhash icon	848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter	abuse_ch
Tags:	Amadey exe

abuse_ch

Amadey C2:
65.108.101.231:4974

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
65.108.101.231:4974	https://threatfox.abuse.ch/ioc/351941/
5.149.255.205:40800	https://threatfox.abuse.ch/ioc/351942/
91.243.59.166:5240	https://threatfox.abuse.ch/ioc/352124/
http://tzgl.org/test2/get.php	https://threatfox.abuse.ch/ioc/352802/
http://bravoingblitheadoptable.com/v4/api_t.php	https://threatfox.abuse.ch/ioc/352803/

Intelligence

File Origin

# of uploads :

# of downloads :

453

Origin country :

n/a

Vendor Threat Intelligence

Detection:

DLInjector04

Link:

https://www.capesandbox.com/analysis/224680/

Detection(s):

Win.Packed.Barys-9859531-0

Win.Malware.Generic-9863888-0

Win.Packed.Jaik-9863991-0

Win.Malware.Socelars-9901327-1

Win.Malware.Socelars-9901374-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Сreating synchronization primitives

Creating a process from a recently created file

Searching for the window

Running batch commands

Sending a custom TCP request

Searching for synchronization primitives

Launching a process

Creating a window

Launching the default Windows debugger (dwwin.exe)

Creating a process with a hidden window

DNS request

Sending an HTTP GET request

Reading critical registry keys

Launching cmd.exe command interpreter

Query of malicious DNS domain

Unauthorized injection to a recently created process

Sending a TCP request to an infection source

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/5368/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

barys overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/61f304916a7929f66a1c5aa4/reports/c57998d6-e481-46bb-99a0-c905d6708052/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Bsymem

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ed4edebd-e42a-4971-b384-ed77daea1435

Result

Threat name:

RedLine SmokeLoader Socelars Vidar onlyL

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/929355

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3fb154482ef8ae49941c9ed13063294cd4f97e28e5dd8b72e1a082398e46be21/

Threat name:

Win32.Backdoor.Zapchast

Status:

Malicious

First seen:

2021-10-18 01:35:51 UTC

File Type:

PE (Exe)

Extracted files:

155

AV detection:

30 of 43 (69.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=h6yvisbo7cxetfa4t3itayzjjtkps7ri4xoyw4xbucbdtdsgxyqq._file

Verdict:

malicious

Amadey

2988763ce776fb8a9c79a2565384a30744cccd114cde7ee49b71965396f41bc7

Amadey

3a227b8e84722b577247b94618314f2ff02a48a2f984c32391717a68df894586

Amadey

48267b826fa7ec0cea8be878f979a967d0a091cccea9f226ad8d87b29dc94800

Amadey

6e52d162baf265e070ec1a3147ad651d8bd8481d96b33cee1b89d84e9c92c5f3

Amadey

70e14ddf23a5fe3d69cc50752fcc491aa2964a2cfee3d48caf182244929f9953

Amadey

7b24f14ce1d2cb622d41c4f8b6fe23edb1471ede00b0b0e8c6c37d8379f5f58a

Amadey

+ 1'891 additional samples on MalwareBazaar

Result

Malware family:

socelars

Score:

10/10

Tags:

family:redline family:socelars botnet:ani botnet:media17 aspackv2 evasion infostealer spyware stealer trojan

Link:

https://tria.ge/reports/220127-zkafgaagf6/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Kills process with taskkill

Modifies data under HKEY_USERS

Modifies registry class

Modifies system certificate store

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Windows directory

Drops file in System32 directory

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Defender Real-time Protection settings

Process spawned unexpected child process

RedLine

RedLine Payload

Socelars

Socelars Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
194.104.136.5:46013
91.121.67.60:2151

Unpacked files

SH256 hash:

a96e486b8fce8777c47b8cb34e7cc24708b3728c785775a0f3ce73b4045b690d

MD5 hash:

d02319bd2818d7362ff9e83282cbd7bc

SHA1 hash:

2729e315497fce193fe9f8045ad6a133bd8fd87f

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

SH256 hash:

b7400825df4e2e22e14b51b60809bb7706cd5f8c0c758c08dbb7f97ef3bd0597

MD5 hash:

1651d2eee32c15f79fd5f2e42551f4dc

SHA1 hash:

f254b220184e991792401f4818bcae33ac37ad4f

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

SH256 hash:

5f0b8203aa3721553b6de2f1a4c2243ad6a324f8817cf8a17e6f0968e16e1753

MD5 hash:

b840862085ee24884ffe5052cf8d8438

SHA1 hash:

9417720327bf821fb5c88b09f9d7bcc6ccf09a8e

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

SH256 hash:

0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052

MD5 hash:

6449aa2e023c5931ac91815ca54225ed

SHA1 hash:

65b5f4df2c28472469ddf924e6b0d0a61394c612

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

SH256 hash:

35d23ebd8608350a4dfdf3ba98ca69c5b779d7b27310362cb12694ebf1ff3f1f

MD5 hash:

a7b5651d25cb157da61e17dd2d75f393

SHA1 hash:

0f02a720fa29ca16d16cb5d506fb7e1f725bb7c9

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

SH256 hash:

c261b9330518fe2fce0c1fd22f9177dd436e7ee833db1bf4a223cf7684e1206f

MD5 hash:

28f19b5632e445c9644ac79ce013b00f

SHA1 hash:

f62fcc2bf0a582e8baa7d73fbd7256a8d2acfaf2

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

SH256 hash:

27a9228747973ae9649e8717a2ff77916346560644e734ef2ed946f2767fb128

MD5 hash:

de1b3c28ea026c0ede620dd78199ddc5

SHA1 hash:

ee402371a36bff44c765323ccd8c7e4a56bc8d12

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

SH256 hash:

43da19a0f18ca201ee3f213e30699e121bbe812bb14e405344dfe43e52b95d6a

MD5 hash:

c83860b0db60b9f69468301ee2a58fca

SHA1 hash:

d826cc0323eb208e36b3e9ef00225430c6f031e1

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

SH256 hash:

c524c05814a01f8adc4d803cafe568cee665085590e92a627efb77e82a6d9b1d

MD5 hash:

f4dff6e00213dbc7f13e7211895f0a53

SHA1 hash:

bf44e57e36bb9241e6f865ef54dc0b34bb8550ce

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

SH256 hash:

dfdee8a4b23e17d1e5ee73e381aef33e00c7230cae2bd8fe3a333c9d7a54a9ca

MD5 hash:

380d3c2f9e7a9d712bbd6b160a00ea71

SHA1 hash:

bc465e91b51c32b3b55bac47f8eede129a191c5e

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

SH256 hash:

86304ad674049058df626b6a0a6cab631af6f2466ffd727def5e06533b1f08b6

MD5 hash:

74164e8cc1686262b17efdeaf5847b29

SHA1 hash:

b21fd54ec6670299f91a9fc502605dce7e0ee4b1

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

SH256 hash:

a35c57c48ea797dc9f1a891aed4b2cef9f4bbacbf24fe317164dbaa02c43bcb8

MD5 hash:

57d5ff3df107c648b937d9a9f2b2913a

SHA1 hash:

976981fdecd8a4eba69470e48515e1dfb8183d19

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

SH256 hash:

a27b5ef4dcab3686963107ed23d481aeea84a9008888e4c8f3727ea8f2b2bf54

MD5 hash:

7ff4333ba60c010d335f96aa453f601b

SHA1 hash:

8daa168ec8a3c47c7d108d59223c70fc4a7d0a86

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

SH256 hash:

a25fdcb0c8ce88ca032f6b165c8d9f645331f1c98b03662f98b0fa726bae2b20

MD5 hash:

0ca5539055d7a7d0884f50ebab44f3e6

SHA1 hash:

5b6b478893a0bf63c27d25975680392676273e11

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

SH256 hash:

f7bd20f20b99c00dc5a59cd715dadc81febb6e3966f49da21fda7c1b08a84ad4

MD5 hash:

8f54c1adeae8ee1f05f9e4b69726de9b

SHA1 hash:

3525571bc3a4b55493ea309594e080b1c6905868

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

SH256 hash:

e56d237d2102ee42cf200cb8312b09c497eb1fc8e098c61ebba4daf9a7ff7aea

MD5 hash:

dfdf56832f4c12aaff4c0f9049b99496

SHA1 hash:

2de86ad3568b3d275b3e4cf57bf0286cfef68309

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

SH256 hash:

174f4f8146a8998395b38774f52063130304ab214257d10badc37464578c8c1d

MD5 hash:

7dc5f09dde69421bd8581b40d994ccd7

SHA1 hash:

23788ae65ec05a9e542636c6c4e1d9d6be26d05c

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

SH256 hash:

2010b113bce681120cbdbe50fd2c3393587d723b97d13a5777429570621bb339

MD5 hash:

ae22fdfdaf90dc3174ebe91333125e1e

SHA1 hash:

3a62fed1ee6e36ca58c3ec19d0a4ae9f9eb0e2b8

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

Parent samples :

40c4d06433a2db2e570b3302e01c5c2ebe51efb59473a5b08cb132ab6af8638b
6aa0d341cee633c2783960687c79d951bf270924df527ac4a99b6bfabf28d4ae
644ecdd263538e3f6da1689a78b77101dd86451afb376e785b33d1e7c9cd6f82
da3909ea1dfaa29dbd3f0ee74cbe629783826f97ae41e606f6db35890c59ec40
0cc82eba0f92824807acfec362e96c2933cb894e9a220194a3eae627e4007f26
b07be8360dd11e81f6830ae467bec71cb6058523b35947a399b7abdba985c9b5
273f433ba1cebfad830e52490a04ca744351fc46249285ff9514c6e1ceaaf99d

SH256 hash:

630a641bebd6ded36fb1c42520e4c7ddc5ace49436dede6c255d8f12ddbfbe54

MD5 hash:

cbbdd5a549a37602019203e20a21866a

SHA1 hash:

50c80b98548b24565decfa94c034b43b753a197a

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

SH256 hash:

a3105fa467202e8db5083789211f7eff93c00e98d7b920ca54603afcceb7aa8d

MD5 hash:

10afc080415ab7684c680c10b3a428ca

SHA1 hash:

b074f2767838e42e2d8f379086ba1168581d766c

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

SH256 hash:

33ddf078625e06e837d2b374cc8ad33543558cfc26e4e088ea089e031f9657d0

MD5 hash:

fff5147460605bc4d130de39553e3c74

SHA1 hash:

04d3d6b610b39423da7171182e477633c7f465e3

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

SH256 hash:

48f5d83a56d29d4fee28db007939d3e021b85c9ca5a38b308e313ee527bb9a4c

MD5 hash:

33e38099c44c73cb37318e15317e3723

SHA1 hash:

06768ffe3c0d2e4d43f99a464fefe8c9b139a1ec

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

SH256 hash:

90012373356493fe5269558aea652854f3485d758c3a902b135c7039519c0bee

MD5 hash:

09d82b36410fc1b080cf3cd51c970034

SHA1 hash:

b9c7e6e5ac1d1bf799e7548366ef65a2237b38b0

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

SH256 hash:

3fb154482ef8ae49941c9ed13063294cd4f97e28e5dd8b72e1a082398e46be21

MD5 hash:

6cd2e1419b2b32c7cfa8a65237820670

SHA1 hash:

28a0557ae3c649abaab9d4ce5963c11c96b9c9fa

Link:

https://www.unpac.me/results/5a31545d-fbf6-4845-a561-a978f72da420/

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/3fb154482ef8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3fb154482ef8ae49941c9ed13063294cd4f97e28e5dd8b72e1a082398e46be21

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ASPack Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ASPack

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing potential Windows Defender anti-emulation checks

Rule name:	MALWARE_Win_Arechclient2 Create hunting rule
Author:	ditekSHen
Description:	Detects Arechclient2 RAT

Rule name:	MALWARE_Win_DLInjector03 Create hunting rule
Author:	ditekSHen
Description:	Detects unknown loader / injector

Rule name:	MALWARE_Win_OnlyLogger Create hunting rule
Author:	ditekSHen
Description:	Detects OnlyLogger loader variants

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MALWARE_Win_Vidar Create hunting rule
Author:	ditekSHen
Description:	Detects Vidar / ArkeiStealer

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine_b Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_XORed_Mozilla Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

Rule name:	XOREngine_Misc_XOR_Func Create hunting rule
Author:	smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:	Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/224680/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample